Every webhook request includes a signed header so your endpoint can verify authenticity before processing payload data.
X-Spark360-Signature: sha256=<hmac_sha256(secret, raw_body)>
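Verify the signature against the raw request body bytes before parsing JSON. The HMAC is computed over the exact bytes that were sent, so a body that has been parsed and re-serialized may no longer match the signature.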
import crypto from 'crypto';
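/**
 * Check a webhook's X-Spark360-Signature header against the HMAC-SHA256 of
 * the raw request body.
 *
 * Returns false for any missing or malformed header instead of throwing, so
 * a caller can treat every failure the same way and reject the request.
 *
 * @param {string|Buffer} rawBody - Request body exactly as received, before JSON parsing.
 * @param {string} signatureHeader - Header value in the form `sha256=<hex digest>`.
 * @param {string|Buffer} secret - Shared webhook signing secret.
 * @returns {boolean} true only when the header holds a well-formed digest that matches.
 */
export function verifySignature(rawBody, signatureHeader, secret) {
  const prefix = 'sha256=';

  // An absent header is undefined; without this guard the string methods
  // below would throw on unauthenticated input.
  if (typeof signatureHeader !== 'string' || !signatureHeader.startsWith(prefix)) {
    return false;
  }

  const incoming = signatureHeader.slice(prefix.length);
  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody, 'utf8')
    .digest();

  // Buffer.from(..., 'hex') silently stops at the first non-hex character,
  // so validate the text form before decoding it.
  if (incoming.length !== expected.length * 2 || !/^[0-9a-f]+$/i.test(incoming)) {
    return false;
  }

  // timingSafeEqual throws when the byte lengths differ; the check above
  // guarantees both buffers have the digest length.
  return crypto.timingSafeEqual(Buffer.from(incoming, 'hex'), expected);
}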